A computer device executes a process using a plurality of physical and logical resources, such as system services, drivers, files and registry settings. Many operating systems include a security module that enforces access rights for each process, whereby the process is permitted (or denied) access to each of the resources consistent with the set of security privileges allocated to that process. For example, a process at the ordinary user level is able to read from a particular file but is not permitted to write to that file, whereas a process at the local administrator level typically holds higher privileges, e.g. is able to both read from and write to that file.
In many operating systems, the security model applies access privileges based on the user's account. The operating system may define privilege levels appropriate to different classes, or groups, of users (e.g. ordinary user, super-user, local administrator, system administrator and so on) and then apply the privileges of the relevant class or group to the particular logged-in user. The user is authenticated by logging in to the computer device and, through a previously prepared security account, acts as a security principal in the security model. The operating system then grants the appropriate privileges to processes which execute in that user's security context.
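The following is an added illustration, not part of the original document, of the security context described above on a Windows computer device. It enumerates the groups and privileges that the operating system has attached to the current process token, and then asks the operating system to open the system hosts file first for reading and then for writing, so that the read-permitted but write-denied behaviour of an ordinary user level process, versus the read-and-write behaviour of an elevated local administrator level process, can be observed directly. The choice of the hosts file as the target, and the function name Test-FileAccess, are assumptions made for the illustration.

```powershell
# Added example (not part of the original document): inspect the security
# context the operating system has given the current process, then show how
# that context decides whether a read and a write on the same file succeed.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7 on Windows; the target
# file is the system hosts file, which ordinary users may read but not write.

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

"User:     $($identity.Name)"
"Elevated: $isAdmin"
"Groups in the process token:"
$identity.Groups | ForEach-Object {
    # Translate each group SID into a readable account name where possible;
    # fall back to the raw SID string if no name is available.
    try   { "  " + $_.Translate([System.Security.Principal.NTAccount]).Value }
    catch { "  $($_.Value)" }
}
"Privileges held by the process token:"
whoami /priv

# Target file assumed for the illustration: readable by everyone, writable
# only by administrators under the default DACL.
$target = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Test-FileAccess {
    param(
        [string]$Path,
        [System.IO.FileAccess]$Access
    )
    # Ask the operating system to open a handle with the requested access.
    # The security module compares the process token against the file's DACL
    # and either grants the handle or refuses it with an access-denied error.
    try {
        $stream = [System.IO.File]::Open(
            $Path,
            [System.IO.FileMode]::Open,
            $Access,
            [System.IO.FileShare]::ReadWrite)
        $stream.Dispose()
        return $true
    } catch [System.UnauthorizedAccessException] {
        return $false
    }
}

"Read  allowed on $target : $(Test-FileAccess -Path $target -Access Read)"
"Write allowed on $target : $(Test-FileAccess -Path $target -Access ReadWrite)"
```

Run the script once from an ordinary (non-elevated) session and once from a session started with "Run as administrator": the user name is the same in both, but the token groups and privileges differ, and only the elevated session reports that the write open succeeds. This is the per-process enforcement described above: the same file, the same user, and a different outcome depending on the security context in which the process executes.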
It is desirable to implement a least-privilege access model, whereby each user is granted the minimal set of access privileges which is just sufficient for the user's desired processes to operate on the computer device. However, in practice, many application programs require a relatively high privilege level, such as the local administrator level, in order to install and operate correctly. Hence, there is a widespread tendency to grant such additional privilege rights, and thus user processes gain greater access to the resources of the computer device than is desirable or appropriate from a security viewpoint. For example, these additional privilege rights may enable accidental tampering with key resources of the computer device, leading to errors or corruption within the device. Further, a particular user process (e.g. an infection or malware) may maliciously access key resources of the computer device with the deliberate intention of subverting security or causing damage.
Therefore, there is a need to provide a mechanism which allows the least-privilege principle to be implemented while still enabling the desired, legitimate, processes to execute on the computer device by accessing the relevant resources. In particular, there is a need to enable higher-level access rights, such as local administrator rights, but without compromising security of the computer device.
The example embodiments have been provided with a view to addressing at least some of the difficulties that are encountered in current computer devices, whether those difficulties have been specifically mentioned above or will otherwise be appreciated from the discussion herein.